Error 691 Access denied

rengel
Posts: 4
Joined: Sun Apr 06, 2008 9:45 am

Post by rengel »

I have abills set up following this thread:

the services are spread across three machines:

1) pppoe+radiusclient - 10.240.0.2
2) abills+apache+freeradius - 10.240.0.3
3) mysql database - 10.240.0.4

I run:
radtest test testtest 10.240.0.3:1812 0 password 0 10.240.0.2
Sending Access-Request of id 235 to 10.240.0.3 port 1812
User-Name = "test"
User-Password = "testtest"
NAS-IP-Address = 10.240.0.2
NAS-Port = 0
Framed-Protocol = PPP
Re-sending Access-Request of id 235 to 10.240.0.3 port 1812
User-Name = "test"
User-Password = "testtest"
NAS-IP-Address = 10.240.0.2
NAS-Port = 0
Framed-Protocol = PPP
Re-sending Access-Request of id 235 to 10.240.0.3 port 1812
User-Name = "test"
User-Password = "testtest"
NAS-IP-Address = 10.240.0.2
NAS-Port = 0
Framed-Protocol = PPP
Re-sending Access-Request of id 235 to 10.240.0.3 port 1812
User-Name = "test"
User-Password = "testtest"
NAS-IP-Address = 10.240.0.2
NAS-Port = 0
Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 10.240.0.3:1812, id=235, length=38
Session-Timeout = 1838212
Framed-IP-Address = 10.240.0.75
Framed-IP-Netmask = 255.255.255.255

In the freeradius logs:
Thu Jul 10 17:23:01 2008 : Error: Discarding duplicate request from client billing:32768 - ID: 235 due to unfinished request 3
Thu Jul 10 17:23:04 2008 : Error: Discarding duplicate request from client billing:32768 - ID: 235 due to unfinished request 3
Thu Jul 10 17:23:07 2008 : Error: Discarding duplicate request from client billing:32768 - ID: 235 due to unfinished request 3
Thu Jul 10 17:23:08 2008 : Auth: Login OK: [test/testtest] (from client billing port 0)

These duplicate requests bother me, especially since the abills admin panel is terribly slow, although this didn't happen on the test machine.

If I connect from Windows, I get this:
Thu Jul 10 00:38:28 2008 : Error: Discarding duplicate request from client 10.240.0.3:32768 - ID: 77 due to unfinished request 20
Thu Jul 10 00:38:28 2008 : Auth: Login incorrect (external check said so): [test/<no User-Password attribute>] (from client 10.240.0.3 port 0)


RADIUS plugin initialized.
Plugin radattr.so loaded.
RADATTR plugin initialized.
using channel 29
Using interface ppp0
Connect: ppp0 <--> /dev/pts/2
sent [LCP ConfReq id=0x1 <mru 1472> <auth eap> <magic 0x485c88f4>]
rcvd [LCP ConfNak id=0x1 <auth chap MS-v2>]
sent [LCP ConfReq id=0x2 <mru 1472> <auth chap MS-v2> <magic 0x485c88f4>]
rcvd [LCP ConfAck id=0x2 <mru 1472> <auth chap MS-v2> <magic 0x485c88f4>]
rcvd [LCP ConfReq id=0x1 <mru 1480> <magic 0x5cec5ec9> <callback CBCP>]
sent [LCP ConfRej id=0x1 <callback CBCP>]
rcvd [LCP ConfReq id=0x2 <mru 1480> <magic 0x5cec5ec9>]
sent [LCP ConfAck id=0x2 <mru 1480> <magic 0x5cec5ec9>]
sent [LCP EchoReq id=0x0 magic=0x485c88f4]
sent [CHAP Challenge id=0x14 <94433559474ab08673bd9e62cedd5260>, name = "netstar-billing"]
rcvd [LCP Ident id=0x3 magic=0x5cec5ec9 "MSRASV5.10"]
rcvd [LCP Ident id=0x4 magic=0x5cec5ec9 "MSRAS-0-NEW_COMPUTER"]
rcvd [LCP EchoRep id=0x0 magic=0x5cec5ec9]
rcvd [CHAP Response id=0x14 <16c73ccaa9ce7ab7547e7f2a3e2bb92b00000000000000000b4f71360b485e0ff0ec160048ff8454c13940876d39d17100>, name = "test"]
Peer test failed CHAP authentication
sent [CHAP Failure id=0x14 "Unknow server '192.168.10.7'\n"]
sent [LCP TermReq id=0x3 "Authentication failed"]
rcvd [CHAP Response id=0x14 <16c73ccaa9ce7ab7547e7f2a3e2bb92b00000000000000000b4f71360b485e0ff0ec160048ff8454c13940876d39d17100>, name = "test"]
Discarded non-LCP packet when LCP not open
rcvd [CHAP Response id=0x14 <16c73ccaa9ce7ab7547e7f2a3e2bb92b00000000000000000b4f71360b485e0ff0ec160048ff8454c13940876d39d17100>, name = "test"]
Discarded non-LCP packet when LCP not open
rcvd [CHAP Response id=0x14 <16c73ccaa9ce7ab7547e7f2a3e2bb92b00000000000000000b4f71360b485e0ff0ec160048ff8454c13940876d39d17100>, name = "test"]
Discarded non-LCP packet when LCP not open
rcvd [CHAP Response id=0x14 <16c73ccaa9ce7ab7547e7f2a3e2bb92b00000000000000000b4f71360b485e0ff0ec160048ff8454c13940876d39d17100>, name = "test"]
Discarded non-LCP packet when LCP not open
rcvd [CHAP Response id=0x14 <16c73ccaa9ce7ab7547e7f2a3e2bb92b00000000000000000b4f71360b485e0ff0ec160048ff8454c13940876d39d17100>, name = "test"]
Discarded non-LCP packet when LCP not open
rcvd [LCP TermAck id=0x3 "Authentication failed"]
Connection terminated.
pppoe: read (asyncReadFromPPP): Session 29: Input/output error
Waiting for 1 child processes...
script /usr/sbin/pppoe -n -I eth0 -e 29:00:0a:e4:e0:e3:9e -S '', pid 11022
Terminating on signal 15
sending SIGTERM to process 11022
RADATTR plugin removed file /var/run/radattr.ppp0.

the microsoft dictionary is included

Out of nowhere "Unknow server '192.168.10.7'\n" appears; that was the IP address on the test machine. I wiped the database and changed the configs. No idea how it turned up here.

And another question, not about abills: with a pppoe connection, does the Windows user necessarily need some configured network connection?

configs:
cat radiusclient.conf
auth_order radius,local
login_tries 4
login_timeout 60
nologin /etc/nologin
issue /etc/radiusclient/issue
authserver 10.240.0.3
acctserver 10.240.0.3
servers /etc/radiusclient/servers
dictionary /etc/radiusclient/dictionary
login_radius /usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient/port-id-map
default_realm
radius_timeout 10
radius_retries 3
login_local /bin/login

root@abills:/etc/freeradius# cat radiusd.conf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = freerad
group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
}
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/sql.conf

radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
}
instantiate {
exec
expr
}
authorize {
preprocess
# chap
# mschap
suffix
# eap
files
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
eap
}

#!/usr/bin/perl -w
# Abills configuration file

$PROGRAM='~AsmodeuS~ Billing System';

#DB configuration
$conf{dbhost}='10.240.0.4';
$conf{dbname}='abills';
$conf{dbuser}='abills';
$conf{dbpasswd}='password';
$conf{dbtype}='mysql';
#For MySQL 5 and higher
#$conf{dbcharset}='utf8';

#Mail configuration
$conf{ADMIN_MAIL}='admin@yourhost.com';
$conf{USERS_MAIL_DOMAIN}='yourhost.com';
$conf{MAIL_CHARSET}='windows-1251';
$conf{default_language}='english';
$conf{default_charset}='windows-1251';
@MODULES = ('Dv',
'Voip',
'Docs',
'Mail',
'Sqlcmd');


%ACCT = ();
#For VoIP GNU Gatekeeper accounting
$ACCT{gnugk} = 'Voip_aaa';

%AUTH = ();
#For VoIP GNU Gatekeeper Auth
$AUTH{gnugk} = 'Voip_aaa';



#Technical works
#$conf{tech_works}='Technical works';

#Periodic functions
$conf{p_admin_mails}=1; # Send periodic admin reports
$conf{p_users_mails}=1; # Send user warning messages

# chap encryption/decryption key
$conf{secretkey}="test12345678901234567890";
$conf{s_detalization}='yes'; #make session detail records; recommended for vpn leased lines
#Check periodic deposit and session. hangup after get negative result
$conf{periodic_check}='yes';

$conf{version}='0.37b'; #16.06.2006

#Octets direction
# server - Count octets from server side
# user - Count octets from user side (default)
$conf{octets_direction}='user';

#Check web interface brute force
$conf{wi_bruteforce}=10;

#Minimum session costs
$conf{MINIMUM_SESSION_TIME}=10; # minimum session time for pushing a session to the db
$conf{MINIMUM_SESSION_TRAF}=200; # minimum session traffic for pushing a session to the db

#System admin id
#ID for system operations, periodic processes
$conf{SYSTEM_ADMIN_ID}=1;

#Web interface
$conf{PASSWD_LENGTH}=6;
$conf{MAX_USERNAME_LENGTH}=15;
# User name regular expression
$conf{USERNAMEREGEXP}="^[a-z0-9_][a-z0-9_-]*\$";
$conf{list_max_recs}=25;
$conf{web_session_timeout} = 1800;
$conf{user_chg_passwd}='no';
#Max session traffic Mb
$conf{MAX_SESSION_TRAFFIC} = 2047;


# Exppp options
$conf{DV_EXPPP_NETFILES}='/usr/abills/cgi-bin/admin/nets/';
#Auto assigning MAC in first connect
$conf{MAC_AUTO_ASSIGN}=1;
$conf{KBYTE_SIZE} = 1024;
# Check script running time
$conf{time_check}=1;

# Debug mode
$conf{debug}=10;
$conf{foreground}=0;
$conf{debugmods}='LOG_ALERT LOG_WARNING LOG_ERR LOG_INFO';
#showing auth and accounting time needs the Time::HiRes module (available from CPAN)
# Log levels
%log_levels = ('LOG_EMERG' => 0,
'LOG_ALERT' => 0,
'LOG_CRIT' => 0,
'LOG_ERR' => 1,
'LOG_WARNING' => 0,
'LOG_NOTICE' => 0,
'LOG_INFO' => 1,
'LOG_DEBUG' => 7,
'LOG_SQL' => 6);


#Check password from radius or FTP servers for web interface
#Radius
#$conf{check_access} = { NAS_IP => '192.168.101.17:1812',
# NAS_FRAMED_IP => '192.168.101.17',
# NAS_SECRET => 'test'
# };
# FTP
# $conf{check_access} = { NAS_IP => '192.168.101.17:21'
# };

#Firewall start rule numbers
# (GLobal, Class 1, Class 2)
@START_FW = (3000, 2000, 1000);


# Backup SQL data
$conf{BACKUP_DIR}='/usr/abills/backup';


# Folders and files
$base_dir='/usr/abills/';
$lang_path=$base_dir . 'language/';
$lib_path=$base_dir .'libexec/';
$var_dir=$base_dir .'var/';
$conf{SPOOL_DIR}=$base_dir.'var/q';

# Template folder
$conf{TPL_DIR} = $base_dir . 'Abills/templates/';
$conf{LOG_DEBUG} = $base_dir . 'var/log/abills.debug';
$conf{WEB_LOGFILE} = 'weblog.log';
$conf{LOGFILE} = $base_dir . 'var/log/abills.log';
$conf{LOG_ACCT} = $base_dir . 'var/log/acct.log';

#For file auth type allow file
$conf{extern_acct_dir}=$base_dir.'libexec/ext_acct/';

$conf{MAILBOX_PATH}='/var/mail/';
# Low bounds

use POSIX qw(strftime);
$DATE = strftime "%Y-%m-%d", localtime(time);

$TIME = strftime "%H:%M:%S", localtime(time);
$curtime = strftime("%F %H.%M.%S", localtime(time));
$year = strftime("%Y", localtime(time));

#*******************************************************************
# log_print ($level, $text)
#
#*******************************************************************
sub log_print {
my ($level, $text) = @_;

my $DATE = strftime "%Y-%m-%d", localtime(time);
my $TIME = strftime "%H:%M:%S", localtime(time);

if ($conf{debugmods} =~ /$level/) {
if (defined($conf{foreground}) && $conf{foreground} == 1) {
print "$DATE $TIME $level: $text\n";
}
else {
open(FILE, ">>$conf{LOGFILE}") || die "Can't open file '$conf{LOGFILE}' $!\n";
print FILE "$DATE $TIME $level: $text\n";
close(FILE);
}
}

}
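
The three "Discarding duplicate request" lines above are FreeRADIUS telling you the NAS (here radtest) retransmitted Access-Request ID 235 every 3 seconds while the server was still waiting on the backend for the original; the "Login OK" 7 seconds later is the answer to that original request. The following script is an added example, not code from the thread or from ABillS/FreeRADIUS: it pairs each run of duplicate-request errors with the Auth line that closes it for the same client, reports a lower bound on backend latency, and checks that latency against the radius_timeout/radius_retries pair from the posted radiusclient.conf. It also flags Auth lines that carry a cleartext password, which is what log_auth_goodpass = yes / log_auth_badpass = yes in the posted radiusd.conf produce ("[test/testtest]"). The sample log is constructed from the lines in the post, and the assumption that radiusclient waits at most radius_timeout * radius_retries seconds is mine.

```python
import re
from datetime import datetime

# Constructed sample in the FreeRADIUS 1.x log shape shown in the post
# (timestamps, client names and request IDs copied from the post's log).
SAMPLE_LOG = """\
Thu Jul 10 17:23:01 2008 : Error: Discarding duplicate request from client billing:32768 - ID: 235 due to unfinished request 3
Thu Jul 10 17:23:04 2008 : Error: Discarding duplicate request from client billing:32768 - ID: 235 due to unfinished request 3
Thu Jul 10 17:23:07 2008 : Error: Discarding duplicate request from client billing:32768 - ID: 235 due to unfinished request 3
Thu Jul 10 17:23:08 2008 : Auth: Login OK: [test/testtest] (from client billing port 0)
Thu Jul 10 00:38:28 2008 : Error: Discarding duplicate request from client 10.240.0.3:32768 - ID: 77 due to unfinished request 20
Thu Jul 10 00:38:28 2008 : Auth: Login incorrect (external check said so): [test/<no User-Password attribute>] (from client 10.240.0.3 port 0)
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
TS_RE = r"(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})"
DUP_RE = re.compile(
    TS_RE + r" : Error: Discarding duplicate request from client "
    r"(?P<client>[^:]+):\d+ - ID: (?P<id>\d+) due to unfinished request \d+"
)
AUTH_RE = re.compile(
    TS_RE + r" : Auth: Login (?P<result>OK|incorrect)[^:]*: "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] \(from client (?P<client>\S+) port \d+\)"
)


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


def password_logged(pw_field):
    """True when the Auth line carries a cleartext password (the effect of
    log_auth_goodpass / log_auth_badpass = yes); "<no User-Password attribute>"
    is a placeholder, not a secret."""
    return bool(pw_field) and not pw_field.startswith("<")


def correlate(log_text):
    """Pair each run of duplicate-request errors with the next Auth line for
    the same client.  Returns one record per run."""
    pending = {}   # client -> {"id", "first_dup", "duplicates"}
    records = []
    for line in log_text.splitlines():
        m = DUP_RE.match(line)
        if m:
            p = pending.setdefault(m["client"], {
                "id": int(m["id"]), "first_dup": parse_ts(m["ts"]), "duplicates": 0})
            p["duplicates"] += 1
            continue
        m = AUTH_RE.match(line)
        if m and m["client"] in pending:
            p = pending.pop(m["client"])
            done = parse_ts(m["ts"])
            records.append({
                "client": m["client"],
                "id": p["id"],
                "duplicates": p["duplicates"],
                # the original request arrived at least one retransmit interval
                # before the first duplicate, so this is a lower bound
                "min_backend_seconds": (done - p["first_dup"]).total_seconds(),
                "result": m["result"],
                "password_logged": password_logged(m["pw"]),
            })
    return records


def nas_gives_up(record, radius_timeout, radius_retries):
    """Would a NAS configured like the posted radiusclient.conf stop waiting
    before the server answered?  Assumption (mine): the NAS waits at most
    radius_timeout * radius_retries seconds in total."""
    return record["min_backend_seconds"] > radius_timeout * radius_retries


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        # radius_timeout 10 / radius_retries 3 are the values from the post
        print(r, "NAS gives up:", nas_gives_up(r, 10, 3))
```

With the posted values (radius_timeout 10, radius_retries 3) the NAS would still receive the 7-second answer, so the duplicates cost only log noise and server threads; shrink either value, or let the backend get slower, and the NAS times out before the Access-Accept arrives. The password_logged flag is the reason to turn log_auth_goodpass and log_auth_badpass back off once debugging is done.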

NiTr0
Posts: 767
Joined: Fri Feb 08, 2008 4:46 pm

Post by NiTr0 »

Sort out the billing slowness first; that is what causes the duplicate requests.
After that, look at what radius prints (radiusd -X with the radius service stopped).

fjey
Posts: 99
Joined: Sat Dec 29, 2007 5:51 pm

Re: Error 691 Access denied

Post by fjey »

rengel wrote: Out of nowhere "Unknow server '192.168.10.7'\n" appears; that was the IP address on the test machine. I wiped the database and changed the configs. No idea how it turned up here.
/etc/hosts

ran
Posts: 2298
Joined: Sun Oct 21, 2007 2:29 pm

Post by ran »

And another question, not about abills: with a pppoe connection, does the Windows user necessarily need some configured network connection?
No. You can even disable ALL network protocols (including TCP/IP) in the Ethernet adapter settings; that's how it works for me ;) PPPoE is a link-layer protocol (layer 2, that is, not the network layer); it knows nothing about IP (and shouldn't; see the 7-layer OSI model). Accordingly, if there is more than one PPPoE server in the same link-layer segment, there will be problems :wink: solvable ones, though.